In Git, can we use Entrust Digital SW to sign tags and commits instead of gpg?
Need your suggestions.
I don't believe git tag -s and git tag -v allow any key but GPG (but I could be wrong). From the man page:
-s, --sign
Make a GPG-signed tag, using the default e-mail address's key.
-v, --verify
Verify the gpg signature of the given tag names.
That written, annotated tags, i.e. those generated with git tag -a <tagname>, allow arbitrary messages, much like commits. There's no reason you couldn't paste your keys into the message, and then your upstream maintainers (or whoever's doing the checks) could just manually verify the key. You can get at the message with git show <tag>, and it shouldn't be difficult to script the verification.
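One way to script the check suggested in the answer above, as an added example that is not part of the original answer or of Git itself. It assumes a convention invented here: the annotated tag's message embeds a PEM-encoded detached CMS signature, made with the signer's X.509 certificate, over the line "<tag name> <commit id>"; the function names and the CA bundle path are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: verify an X.509 (CMS) signature carried in an annotated tag message.
# Assumed convention (not Git's own): the signer embeds the PEM output of
#   printf '%s %s\n' "$tag" "$commit" | \
#     openssl cms -sign -binary -signer cert.pem -inkey key.pem -outform PEM
# in the tag message, i.e. a detached signature over "<tag name> <commit id>".

# Print the first PEM CMS block found on stdin (the raw tag object text).
extract_sig() {
    awk '/^-----BEGIN CMS-----$/ {p=1}
         p {print}
         /^-----END CMS-----$/ && p {exit}'
}

# Build the signed payload. Binding the tag name stops a valid signature
# from being replayed under a different tag name.
tag_payload() {
    printf '%s %s\n' "$1" "$2"
}

# verify_tag <tag> <ca-bundle.pem>: returns 0 only if the embedded signature
# chains to the CA bundle and covers this tag name and the commit it points to.
verify_tag() {
    local tag=$1 ca=$2 commit tmp rc
    [ "$(git cat-file -t "refs/tags/$tag" 2>/dev/null)" = tag ] || {
        echo "$tag: not an annotated tag" >&2; return 2; }
    commit=$(git rev-parse --verify "refs/tags/$tag^{commit}") || return 2
    tmp=$(mktemp -d) || return 2
    git cat-file tag "refs/tags/$tag" | extract_sig > "$tmp/sig.pem"
    tag_payload "$tag" "$commit" > "$tmp/payload"
    if [ ! -s "$tmp/sig.pem" ]; then
        echo "$tag: no CMS block in tag message" >&2; rc=1
    else
        # -purpose any: accept signer certificates without the S/MIME usage bit.
        openssl cms -verify -binary -inform PEM -in "$tmp/sig.pem" \
            -content "$tmp/payload" -CAfile "$ca" -purpose any -out /dev/null
        rc=$?
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Run as: ./verify-tag.sh <tag> <ca-bundle.pem>
if [ "$#" -eq 2 ]; then verify_tag "$1" "$2"; fi
```

A successful result only shows that some certificate issued under the given CA bundle signed the payload, so the bundle should contain only the issuing CA you trust for releases, and the signer's subject should be checked against an allow-list as well.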